01-28-2014 08:48 AM - edited 03-11-2019 08:37 PM
Hey guys, I need some help with the AnyConnect config for iPhone. I am able to reach the ASA - I get a certificate warning (BMS certificate - although I generated a self-signed cert). Then it just disconnects. Tried connecting from AnyConnect on a laptop and got this error message - Unable to process request response from (OUTSIDE ASA IP ADDRESS)
I followed the Cisco document here -
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00808efbd2.shtml
Licensed features for this platform:
Maximum Physical Interfaces : 8 perpetual
VLANs : 3 DMZ Restricted
Dual ISPs : Disabled perpetual
VLAN Trunk Ports : 0 perpetual
Inside Hosts : 10 perpetual
Failover : Disabled perpetual
Encryption-DES : Enabled perpetual
Encryption-3DES-AES : Enabled perpetual
AnyConnect Premium Peers : 2 perpetual
AnyConnect Essentials : Disabled perpetual
Other VPN Peers : 10 perpetual
Total VPN Peers : 12 perpetual
Shared License : Disabled perpetual
AnyConnect for Mobile : Enabled 85 days
AnyConnect for Cisco VPN Phone : Disabled perpetual
Advanced Endpoint Assessment : Disabled perpetual
UC Phone Proxy Sessions : 2 perpetual
Total UC Proxy Sessions : 2 perpetual
Botnet Traffic Filter : Disabled perpetual
Intercompany Media Engine : Disabled perpetual
Cluster : Disabled perpetual
Here is my config -
ZEPPELIN# show run
: Saved
:
ASA Version 9.1(1)
!
hostname ZEPPELIN
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
names
ip local pool SSLClientPool 172.19.20.19-172.19.20.25 mask 255.255.255.0
!
interface Ethernet0/0
description ISP-MODEM
switchport access vlan 20
!
interface Ethernet0/1
shutdown
!
interface Ethernet0/2
description INTERNAL-NET
switchport access vlan 19
!
interface Ethernet0/3
description INTERNAL-NET
switchport access vlan 19
!
interface Ethernet0/4
description INTERNAL-NET
switchport access vlan 19
!
interface Ethernet0/5
description INTERNAL-NET
switchport access vlan 19
!
interface Ethernet0/6
description DMZ
switchport access vlan 99
!
interface Ethernet0/7
description DMZ
switchport access vlan 99
!
interface Vlan1
shutdown
no nameif
no security-level
no ip address
!
interface Vlan19
description INTERNAL-NET
nameif MYNETWORK
security-level 100
ip address 172.19.19.1 255.255.255.0
!
interface Vlan20
description DHCP-MODEM-INTERNET
nameif INTERNET
security-level 0
ip address dhcp setroute
!
interface Vlan99
description DMZ-NET
no forward interface Vlan19
nameif MYDMZ
security-level 50
ip address 192.168.99.1 255.255.255.0
!
ftp mode passive
object network MYNETWORK
subnet 172.19.19.0 255.255.255.0
object network MYDMZ
subnet 192.168.99.0 255.255.255.0
object network Media-PC
host 172.19.19.29
description PLEX SERVER
object network InsideVlan0
subnet 172.19.19.0 255.255.255.0
object network RemoteVPN
subnet 172.19.20.0 255.255.255.0
access-list MYNETWORK_access_in extended deny ip object Media-PC any
access-list MYNETWORK_access_in extended permit ip any any
access-list no_nat extended permit ip host 172.19.19.29 172.19.20.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu MYNETWORK 1500
mtu INTERNET 1500
mtu MYDMZ 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-712.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (MYNETWORK,INTERNET) source static InsideVlan0 InsideVlan0 destination static RemoteVPN RemoteVPN
!
object network MYNETWORK
nat (MYNETWORK,INTERNET) dynamic interface
object network MYDMZ
nat (MYDMZ,INTERNET) dynamic interface
access-group MYNETWORK_access_in in interface MYNETWORK
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication serial console LOCAL
aaa authentication ssh console LOCAL
http server enable 1999
http 172.19.19.0 255.255.255.0 MYNETWORK
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpoint localtrust
enrollment self
fqdn sslvpn.cisco.com
subject-name CN=sslvpn.cisco.com
keypair sslvpnkeypair
crl configure
crypto ca trustpool policy
crypto ca certificate chain localtrust
certificate 7eabe752
308201ef 30820158 a0030201 0202047e abe75230 0d06092a 864886f7 0d010105
0500303c 31193017 06035504 03131073 736c7670 6e2e6369 73636f2e 636f6d31
1f301d06 092a8648 86f70d01 09021610 73736c76 706e2e63 6973636f 2e636f6d
301e170d 31343031 32383134 31393333 5a170d32 34303132 36313431 3933335a
303c3119 30170603 55040313 1073736c 76706e2e 63697363 6f2e636f 6d311f30
1d06092a 864886f7 0d010902 16107373 6c76706e 2e636973 636f2e63 6f6d3081
9f300d06 092a8648 86f70d01 01010500 03818d00 30818902 818100d4 ae408221
2e72ec62 6c1b3250 84a475c3 f34c3f47 7a41724a 748dbf66 89b1ed86 ac5933cd
9efa5051 d9246c94 08a00509 f7dacff3 e0e7e425 4ec60258 dd4951b7 0811ca01
f25189d7 9bacc81d 55053f48 597977d7 9819fd04 09104c01 fa2c5055 3ebfc81e
201620ba 0e7fe4a7 d008f41a 00634afc 427df9cb 2bf660a1 b262d702 03010001
300d0609 2a864886 f70d0101 05050003 81810007 e25f8d2c 9ac21793 b642d42d
497f4e82 6c855766 d25c610a cbd241b7 3f7ef1f3 7ddf1dbd dbd32370 79408fab
e67b76f6 bc31f04c 2b3b22c4 3cf25b8c 079de122 aae99c02 b37cca6b 06649bba
d209c103 75e3b5fc 7ea4e789 1a3f9010 131eff9b a74e06bc c6c1f7b3 f87646b1
51a73dd4 71a5ac82 b4a8f702 9019a275 cae15a
quit
telnet timeout 5
ssh 172.19.19.0 255.255.255.0 MYNETWORK
ssh timeout 5
console timeout 0
dhcpd dns 8.8.8.8 8.8.4.4
dhcpd lease 691200
dhcpd ping_timeout 750
!
dhcpd address 172.19.19.18-172.19.19.30 MYNETWORK
dhcpd enable MYNETWORK
!
dhcpd address 192.168.99.9-192.168.99.12 MYDMZ
dhcpd enable MYDMZ
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl trust-point localtrust INTERNET
webvpn
enable INTERNET
anyconnect image disk0:/anyconnect-win-3.1.05152-k9.pkg 1
anyconnect enable
tunnel-group-list enable
group-policy SSLCLientPolicy internal
group-policy SSLCLientPolicy attributes
dns-server value 8.8.8.8
vpn-tunnel-protocol ssl-client
default-domain value ZEPPELIN.local
address-pools value SSLClientPool
username MThomas-x password XXXXXX
username MTVPNUser password XXXXXX
username MTVPNUser attributes
service-type remote-access
tunnel-group SSLClientProfile type remote-access
tunnel-group SSLClientProfile general-attributes
default-group-policy SSLCLientPolicy
tunnel-group SSLClientProfile webvpn-attributes
group-alias SSLVPNClient enable
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:d41d8cd98f00b204e9800998ecf8427e
: end
ZEPPELIN#
01-28-2014 10:09 AM
The FQDN sslvpn.cisco.com was only intended for example purposes. You should use an FQDN that is legitimate in your environment.
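The certificate warning described in the first post and the reply above about the FQDN both come down to the same question: which names does the certificate the ASA presents actually carry? The following is an added example, not code from this thread or from Cisco. It decodes the DER blob printed under `crypto ca certificate chain localtrust` in the posted config with a small stdlib-only ASN.1 walker, then runs the identity check a TLS client (AnyConnect, iOS) performs before it will trust a server certificate: is the host the user typed covered by a subjectAltName entry or, failing that, by the subject CN? The certificate bytes are the ones on the page; the address 203.0.113.10 used at the end is a constructed placeholder for the ASA's outside IP, not the poster's real address.

```python
"""Decode the ASA's self-signed certificate and check which names it covers."""
import binascii
import datetime

# DER bytes copied verbatim from `crypto ca certificate chain localtrust` above.
CERT_HEX = """
308201ef 30820158 a0030201 0202047e abe75230 0d06092a 864886f7 0d010105 0500303c 31193017 06035504 03131073 736c7670 6e2e6369 73636f2e 636f6d31
1f301d06 092a8648 86f70d01 09021610 73736c76 706e2e63 6973636f 2e636f6d 301e170d 31343031 32383134 31393333 5a170d32 34303132 36313431 3933335a
303c3119 30170603 55040313 1073736c 76706e2e 63697363 6f2e636f 6d311f30 1d06092a 864886f7 0d010902 16107373 6c76706e 2e636973 636f2e63 6f6d3081
9f300d06 092a8648 86f70d01 01010500 03818d00 30818902 818100d4 ae408221 2e72ec62 6c1b3250 84a475c3 f34c3f47 7a41724a 748dbf66 89b1ed86 ac5933cd
9efa5051 d9246c94 08a00509 f7dacff3 e0e7e425 4ec60258 dd4951b7 0811ca01 f25189d7 9bacc81d 55053f48 597977d7 9819fd04 09104c01 fa2c5055 3ebfc81e
201620ba 0e7fe4a7 d008f41a 00634afc 427df9cb 2bf660a1 b262d702 03010001 300d0609 2a864886 f70d0101 05050003 81810007 e25f8d2c 9ac21793 b642d42d
497f4e82 6c855766 d25c610a cbd241b7 3f7ef1f3 7ddf1dbd dbd32370 79408fab e67b76f6 bc31f04c 2b3b22c4 3cf25b8c 079de122 aae99c02 b37cca6b 06649bba
d209c103 75e3b5fc 7ea4e789 1a3f9010 131eff9b a74e06bc c6c1f7b3 f87646b1 51a73dd4 71a5ac82 b4a8f702 9019a275 cae15a
"""
OID_NAMES = {"1.2.840.113549.1.1.5": "sha1WithRSAEncryption"}

def tlv(buf, pos=0):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low bits give the number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def children(value):
    """Yield (tag, value) for each element inside a constructed DER value."""
    pos = 0
    while pos < len(value):
        tag, val, pos = tlv(value, pos)
        yield tag, val

def decode_oid(value):
    parts, acc = [str(value[0] // 40), str(value[0] % 40)], 0
    for b in value[1:]:  # base-128 arcs; high bit marks a continuation octet
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(str(acc))
            acc = 0
    return ".".join(parts)

def decode_name(value):
    """X.501 Name -> {dotted OID: string}; enough for a CN lookup."""
    out = {}
    for _, rdn in children(value):
        for _, atv in children(rdn):
            (_, oid), (_, text) = list(children(atv))
            out[decode_oid(oid)] = text.decode("ascii")
    return out

def san_names(extensions):
    """dNSName and IPv4 iPAddress entries of subjectAltName, if one exists."""
    names = []
    for _, ext in children(list(children(extensions))[0][1]):  # [3] wraps a SEQUENCE
        fields = list(children(ext))  # extnID, optional critical, extnValue OCTET STRING
        if decode_oid(fields[0][1]) != "2.5.29.17":
            continue
        for tag, val in children(tlv(fields[-1][1])[1]):
            if tag == 0x82:  # dNSName
                names.append(val.decode("ascii"))
            elif tag == 0x87 and len(val) == 4:  # iPAddress, IPv4
                names.append(".".join(str(b) for b in val))
    return names

def parse_certificate(hex_blob):
    der = binascii.unhexlify("".join(hex_blob.split()))
    (_, tbs), (_, sig_alg), _ = list(children(tlv(der)[1]))
    fields = list(children(tbs))
    if fields[0][0] == 0xA0:  # explicit [0] version tag, present on v3 certs
        fields = fields[1:]
    serial, _, issuer, validity, subject, spki = [f[1] for f in fields[:6]]
    (_, not_before), (_, not_after) = list(children(validity))
    bitstr = list(children(spki))[1][1]  # subjectPublicKey BIT STRING
    (_, modulus), _ = list(children(tlv(bitstr[1:])[1]))  # skip unused-bits octet
    exts = [f[1] for f in fields[6:] if f[0] == 0xA3]  # explicit [3] extensions
    utc = lambda b: datetime.datetime.strptime(b.decode(), "%y%m%d%H%M%SZ")
    sig_oid = decode_oid(list(children(sig_alg))[0][1])
    return {
        "serial": serial.hex(),
        "signature_algorithm": OID_NAMES.get(sig_oid, sig_oid),
        "subject_cn": decode_name(subject).get("2.5.4.3"),
        "self_signed": issuer == subject,
        "not_before": utc(not_before),
        "not_after": utc(not_after),
        "rsa_bits": int.from_bytes(modulus, "big").bit_length(),
        "san": [n for e in exts for n in san_names(e)],
    }

def identity_matches(info, target):
    """Client-side name check: SAN entries win when present, else the subject CN."""
    names = info["san"] or [info["subject_cn"] or ""]
    target = target.lower().rstrip(".")
    for name in (n.lower() for n in names):
        if name.startswith("*."):  # a wildcard covers exactly one label
            if name.count(".") == target.count(".") and target.endswith(name[1:]):
                return True
        elif name == target:
            return True
    return False

if __name__ == "__main__":
    info = parse_certificate(CERT_HEX)
    print(info)
    # 203.0.113.10 stands in for the ASA's outside address (constructed value).
    print(identity_matches(info, "sslvpn.cisco.com"), identity_matches(info, "203.0.113.10"))
```

Running it against the posted blob shows what the client sees: a self-signed certificate whose only name is the subject CN sslvpn.cisco.com, no subjectAltName at all, a 1024-bit RSA key, a SHA-1 signature, and a validity window of 2014-01-28 to 2024-01-26. `identity_matches` returns True only for sslvpn.cisco.com; for the outside IP address, or any other name the client connects to, it returns False, so an identity warning on the phone and laptop is the expected outcome regardless of whether the self-signed issuer is trusted. Whatever name or address the clients actually use must appear in the certificate, and a client connecting by IP looks for an iPAddress SAN entry, which the `san_names` parser would report as a dotted string.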
01-28-2014 10:14 AM
Thanks for the reply. I am accessing the ASA/VPN from the OUTSIDE IP ADDRESS. Should I change the FQDN to the outside IP if I don't have a domain name attached to the IP? I did test access by IP.